| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191208233155.GH795@breakpoint.cc>
Date: Mon, 9 Dec 2019 00:31:55 +0100
From: Florian Westphal <fw@...len.de>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
Florian Westphal <fw@...len.de>,
netfilter-devel@...r.kernel.org, netdev <netdev@...r.kernel.org>,
Eric Dumazet <eric.dumazet@...il.com>,
syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH netfilter] netfilter: bridge: make sure to pull arp
header in br_nf_forward_arp()
Eric Dumazet <edumazet@...gle.com> wrote:
> syzbot is kind enough to remind us we need to call skb_may_pull()
[..]
> Fixes: c4e70a87d975 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: syzbot <syzkaller@...glegroups.com>
> ---
>
> Note: Fixes: tag does not point to real bug origin, but is old enough
> to cover all stable versions.
Indeed, looks like a day0 bug. We don't have this problem for ipv4/6
because the prerouting hook does pskb_may_pull() as part of ipv4/6
header checks. Arp doesn't have anything like it.
> nf_bridge_pull_encap_header(skb);
> }
>
> + if (unlikely(!pskb_may_pull(skb, sizeof(struct arphdr))))
> + return NF_DROP;
> +
> if (arp_hdr(skb)->ar_pln != 4) {
Thats indeed the only location where we call NFPROTO_ARP hooks,
so this looks like the proper fix/location.
Thanks Eric!
Reviewed-by: Florian Westphal <fw@...len.de>
Powered by blists - more mailing lists